Crowd-sourcing Cybersecurity through the REN-ISAC Community · 2017-03-22
TRANSCRIPT
Crowd-sourcing CyberSecurity through the REN-ISAC Community
Chris O’Donnell
REN-ISAC Background
MISSION
● Overall – serve the Research and Higher Education space and promote operational security
● CSIRT Role
● Operate a trusted community
● Work with other ISACs and other external parties
FACTS AND FIGURES
▪ Hosted at Indiana University
▪ Board of Directors
▪ Advisory groups
▪ Ad hoc special interest groups and projects
▪ Over 500 member institutions and over 1600 member representatives
Threat Landscape
INFOSEC IS #1 IT ISSUE IN HIGHER ED, 2016 *AND AGAIN IN 2017*
* Educause Top 10 IT Issues 2016 and 2017
THREAT TRENDS
§ Motive?
§ The threat actor is external to the organization
§ Time to compromise is < one hour
§ Time to discover a breach occurred is > one day
DATA BREACHES IN HIGHER EDUCATION
[Chart: number of data breaches in higher education per year, 2005–2016 (bar values not recoverable from the slide text)]
Source: Privacy Rights Clearinghouse
WHERE IS EDUCATION ON THE LIST?
SENSITIVE DATA BREACHES
RANSOMWARE
RECENT SURVEY RESULTS
What Are You Doing to Mitigate the Risk of Ransomware? (N=27)
§ Increasing employee education and awareness efforts: 19 (70%)
§ Tightening spam filters on email systems: 11 (41%)
§ Accelerating the institution's move to cloud storage: 1 (4%)
§ Reminding system administrators to verify/test backups, check schedules: 9 (33%)
§ Updating institutional policies / standards: 2 (7%)
MOBILE
§ Mobile use is increasing
§ Lots of older unpatched OSes
§ 3rd party app stores
§ Malicious apps on primary app stores
INSIDER THREAT
PHISHING
§ Primary attack vector for online crime
§ Spear-phishing / Whaling
RECENT SURVEY RESULTS
DENIAL OF SERVICE ATTACKS
§ Amplification via vulnerable protocols, e.g. NTP
§ Increasing use of Internet connected devices (IoT)
COMPROMISED CREDENTIALS
Crowdsourcing Cybersecurity Through the REN-ISAC Community
RELATIONSHIPS
§ Sector ISAC
§ Members
§ 3rd Parties
CONCERNS
How do we help?
CSIRT for EDU Space
SOC ACTIVITY – MOSTLY AUTOMATED
Notifications                   Q1        Q2         Q3        Q4
Compromised machines            23,943    16,911     13,589    12,661
Compromised credentials         13,162    1,037,881  5,094     1,141,653
Spam or Phish                   117       86         111       1,995
Vulnerable machines             1         39         2         11
Open recursive DNS resolvers    793       713        607       655
Open mail relays                52        25         37        34
Other                           1         3          5         1
Totals                          38,069    1,055,658  19,445    1,157,010
REN-ISAC CSIRT Activity, YTD 2016
SOC ACTIVITY - MANUAL
Notifications                   Q1        Q2        Q3        Q4
Notification questions          429       626       278       194
Password resets                 105       100       75        60
Notifications                   51        21        50        38
Other                           177       627       477       371
Totals                          762       1,374     880       663
Non-interactive tickets         2,060     2,611     3,302     3,026
REN-ISAC SOC Activity, YTD 2016
SHARING INTEL
ALERTS, ADVISORIES, AND REPORTS
§ Advisories on various threats
§ Daily Watch
COMMUNITY SHARING
§ Community of trusted cybersecurity staff at R&E member institutions
§ Confidentiality, Integrity and Availability
§ Sharing actionable intel for operational protection and response
CIF/SES – AUTOMATED THREAT INTELLIGENCE
PASSIVE DNS – WHAT?
[Diagram, built up over several slides: DNS resolution as seen by a passive DNS sensor. Actors: a client at My University (visit www.my.edu), the university's recursive caching DNS server, the Global DNS (authoritative DNS servers), and example.com's authoritative DNS server for www.example.com. Steps shown:]
§ Client sends a request to the recursive caching DNS server to resolve www.example.com
§ Recursive server asks the Global DNS: where is the authoritative for example.com?
§ Response from the Global DNS
§ Recursive server sends the query to example.com's authoritative DNS server
§ Response from the authoritative server
§ Response returned to the client – Whee!
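As an added example (not code from the talk or from REN-ISAC), this is what a passive DNS sensor does with the authoritative responses in the diagram above: it keeps only the (name, type, data) triple with first-seen/last-seen timestamps and a count, never the client that asked, and answers the forward ("what has this name resolved to?") and reverse ("which names pointed at this IP?") questions an analyst asks during triage. The sample answers are constructed.

```python
"""Passive DNS aggregator: an added example, not code from the talk."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class PdnsRecord:
    rrname: str
    rrtype: str
    rdata: str
    first_seen: int
    last_seen: int
    count: int

def norm(name):
    return name.lower().rstrip(".")  # case-fold, drop trailing dot so variants merge

class PassiveDns:
    """Keeps (name, type, data) plus timestamps from answers seen at the resolver; never who asked."""
    def __init__(self):
        self._db = {}                      # (rrname, rrtype, rdata) -> PdnsRecord
        self._by_rdata = defaultdict(set)  # rdata -> keys, for reverse lookups

    def observe(self, ts, rrname, rrtype, rdata):
        key = (norm(rrname), rrtype.upper(), norm(rdata))
        if (rec := self._db.get(key)) is None:
            self._db[key] = PdnsRecord(*key, ts, ts, 1)
            self._by_rdata[key[2]].add(key)
        else:  # same triple again: widen the first/last-seen window, bump the count
            rec.first_seen, rec.last_seen = min(rec.first_seen, ts), max(rec.last_seen, ts)
            rec.count += 1

    def forward(self, rrname):  # what has this name resolved to? oldest answer first
        return sorted((r for r in self._db.values() if r.rrname == norm(rrname)),
                      key=lambda r: r.first_seen)

    def reverse(self, rdata):  # which names pointed at this IP or CNAME target?
        return sorted((self._db[k] for k in self._by_rdata[norm(rdata)]),
                      key=lambda r: r.first_seen)

# Constructed sample answers (timestamp, name, type, data), not real traffic.
SAMPLE = [(1000, "www.example.com.", "A", "192.0.2.10"),
          (2000, "WWW.EXAMPLE.COM", "A", "192.0.2.10"),       # same answer, different spelling
          (3000, "www.example.com.", "A", "198.51.100.7"),    # name moved to a new IP
          (3100, "cdn.example.net.", "CNAME", "www.example.com."),
          (3200, "login.example.org.", "A", "198.51.100.7")]  # another name on that IP

def build_sample():
    pdns = PassiveDns()
    for row in SAMPLE:
        pdns.observe(*row)
    return pdns
```

A real sensor would feed `observe` from captured responses on the resolver-to-authoritative side rather than from a list, which is why no client address ever enters the record.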
PASSIVE DNS – WHY?
EDUCATION
▪ Techbursts
▪ Wikis
FUTURE (NOW) THREAT VECTORS
▪ Automated Access Controls
▪ Industrial Control Systems
▪ Internet of Things
Wrap up…
QUESTIONS?